Properly check X-Requested-With header in case of multiple values
authorVincent Petry <pvince81@owncloud.com>
Fri, 11 Dec 2015 10:22:38 +0000 (11:22 +0100)
committerVincent Petry <pvince81@owncloud.com>
Fri, 11 Dec 2015 10:22:38 +0000 (11:22 +0100)
Saw this happening in IE8...

apps/dav/lib/connector/sabre/auth.php

index 4f319770234b20d1e04ebe1c8dd237293e68cf4b..7f4f4a531b139ee0d0d6c2f602304b15ab32251e 100644 (file)
@@ -160,7 +160,7 @@ class Auth extends AbstractBasic {
                        return [true, $this->principalPrefix . $user];
                }
 
-               if (!$this->userSession->isLoggedIn() && $request->getHeader('X-Requested-With') === 'XMLHttpRequest') {
+               if (!$this->userSession->isLoggedIn() && in_array('XMLHttpRequest', explode(',', $request->getHeader('X-Requested-With')))) {
                        // do not re-authenticate over ajax, use dummy auth name to prevent browser popup
                        $response->addHeader('WWW-Authenticate','DummyBasic realm="' . $this->realm . '"');
                        $response->setStatus(401);
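Review bot: The new membership test on the `X-Requested-With` line compares untrimmed pieces, so a value written with a space after the comma (a constructed example: `foo, XMLHttpRequest`) would not match, and the browser popup this branch is meant to suppress could still appear. Trimming each element and comparing strictly would cover that: `in_array('XMLHttpRequest', array_map('trim', explode(',', $request->getHeader('X-Requested-With'))), true)`. A short comment would also help, stating that the header is client-supplied and only selects the challenge scheme while the branch still answers 401, so later edits do not treat it as a trust signal. The enclosing method starts and ends outside the hunk, so whether the header can be absent at this point is not visible here.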